Asuswrt-Merlin Changelog

========================

380.59 (xx-xxx-2016)

- NEW: Merged with 380_2345 GPL

- CHANGED: WAN -> NAT Passthrough now allows you to determine wether or not to load

the NAT helper module for h323, rtsp and sip. Asus's old behaviour is

"Enabled + NAT Helper".

- CHANGED: DNSFilter client dropdown now uses Asus's new one integrated with networkmap.

- CHANGED: minidlna now supports refreshing an existing database, so the Tweak setting

was updated accordingly

380.58 (20-Mar-2016)

- NEW: Merged with 380_1354 GPL

- NEW: Added Tweaks and Hacks settings to Tools -> Other Settings.

These are UNSUPPORTED tweaks, intended mostly for

experimentation, or very specific situations. If unsure how

to apply these, manually reboot after changing them.

One of new settings there lets you disable hourly network

rescans, to resolve issues with NAS/printers coming out

of sleep every hour.

- NEW: Added setting to configure OpenVPN's auth digest algo.

- NEW: Added setting to configure OpenVPN's logging verbosity.

Note that this setting is global to all clients/servers.

- CHANGED: Updated OpenVPN to 2.3.10

- CHANGED: Updated openssl to 1.0.2g

- CHANGED: Updated miniupnpd to 1.9.20160222

- CHANGED: Updated udpxy to 1.0-build 23-10 (backport from GPL

380_2345)

- CHANGED: if you set an OpenVPN client DNS mode to "Exclusive"

and you enable policy-based routing, then those policies

will also determine which DNS to use (the tunnel's or

the ISP's). This is based on DNSFilter's technology.

You no longer need to use DNSFilter to control

the DNS used by your OpenVPN clients.

- CHANGED: Made OpenVPN traffic bypass CTF, which resolves

some throughput issues with it

- CHANGED: Disabled X11 Forwarding support in Dropbear,

for security reasons.

- FIXED: PPTP static route handling script was broken

- FIXED: minidlna would check for the wrong database filename

at start time

- FIXED: Wrong status shown for VPN Client 3

- FIXED: OpenVPN clients were run on the wrong CPU cores.

Now, odd instances correctly run on the second core.

- FIXED: Using DNSFilter with default mode set to "router" would

prevent using the router for IPv6 lookups.

- FIXED: Account limit wasn't properly allowing up to 10

clients for SMB/FTP (patch by vit9696)

- FIXED: Having multiple OpenVPN clients configured with

multiple "Accept DNS configuration" modes would

only apply the last client's setting. Now, we

apply the most restrictive setting of all

configured clients.

- FIXED: RT-AC68U 2.4 GHz was broken if CTF was disabled

(downgraded wifi driver to 6.37.14.105)

- FIXED: Diasbling the SIP NAT helper would also drop all port 5060

traffic. Some users need to keep the SIP helper disabled

with their SIP client. Reverted that GPL 858 change.

380.57 (24-Dec-2015)

- NEW: Merged with 380_1031 GPL

- NEW: Added RT-AC3100 and RT-AC5300 support

- NEW: Added RT-AC68U HW Revision C1 support

- NEW: Backup/Restore of the content of the JFFS

partition (under Administration Restore/Save Settings)

- NEW: Added DNSSEC support. Can be enabled under LAN -> DHCP.

- NEW: Added custom/postconf support for igmpproxy.conf.

- CHANGED: Increased user account limit from 16 to 32 on

the VPN server pages.

- CHANGED: Updated e2fsprogs to 1.42.13

- CHANGED: Increased maximum entries in Parental Control

(time scheduler) to 32.

- CHANGED: Updated miniupnpd to 1.9.20151119.

- CHANGED: Updated Openssl to 1.0.2e.

- CHANGED: Downgraded Dropbear to 2014.66, too many issues in

the newer releases.

- CHANGED: Improvements to VPN Status page

- FIXED: CTF not automatically disabled when enabling IPTraffic.

- FIXED: Openvpn clients 3 through 5 were all run on the first

CPU core. They are now properly alternated like the

first two (odd on CPU1, even on CPU0)

- FIXED: smb.log generated by networkmap could fill up RAM

- FIXED: upnpc_xml.log generated by miniupnpc could fill up RAM

- FIXED: Inconsistant names used on IPTraffic and Sysinfo page.

Now, we give priority to any description manually entered

on the networkmap, followed by static hostname, then any

current (lease) hostname.

- FIXED: MAC queries sent to the OUI database were broken due to

changes on the IEEE website

- FIXED: Applying changes to OpenVPN client page would start the

client even if it was disabled/stopped.

378.56_2 (2-Nov-2015)

- CHANGED: Reverted the memory buffering optimization

for ARM devices, as people keep panicking

over the lower amount of free RAM. You can

manually re-enable the optimization by setting

"drop_caches=0" in nvram.

- CHANGED: Allow using a port < 1024 for http(s) webui

interface.

- FIXED: EMF wasn't working on AC56/AC68/AC87.

- FIXED: Couldn't connect to ISPs using VLANs (RT-AC87U)

- FIXED: Editing Port Forward entry with ellipsis in

the description or the port range would

still edit the shortened version instead

of the full content.

- FIXED: Debug log from mDNSNetMonitor could gradually

fill up RAM - disabled it.

- FIXED: Router crash if pasting SSH key > 2047

characters.

- FIXED: Editing an entry on the networkmap would

clear the hostname if entry existed in

the DHCP static list.

- FIXED: OpenVPN server in secret key mode

would fail to start.

- FIXED: Couldn't add entries to the MAC Filter list

of Guest Networks (reverted our previous

implementation which conflicted with

Asus's new one).

- FIXED: NTP failing to refresh for some cases.

Implemented temporary workaround.

- FIXED: Some services not properly starting at

boot time (like Parental Control or Tor)

378.56 (25-Oct-2015)

NOTE: There is no 378.56 build for the RT-N66U at

this time, as Asus hasn't released updated

source code for this model yet, and there are

new closed source binary components that are

necessary for this new release.

Make sure to read the changelog of the two

previous betas for the complete list of

changes since 378.55.

- CHANGED: Nameserver handling is more resilient to

scenarios where dnsmasq fails to start due

to a broken configuration

- FIXED: PPTP/L2TP client page broken on French locale

- FIXED: Entries on the Virtual Server page with ellipsis

in their name or port range weren't properly

copied to the Add fields when edited.

- FIXED: Additional fixes to truncated hostnames related

to networkmap

378.56 Beta 2 (18-Oct-2015)

- CHANGED: Increased Guest MAC filter entries limit to 64.

- CHANGED: DHCP query logging no longer override configured

syslog level, and option was renamed to "Hide queries"

to be more intuitive in regard to the level logging

configured.

- CHANGED: Enabling Hide DHCP queries also silences any RA

routine event.

- CHANGED: Reverted networkmap's printer detection change

as it didn't resolve the printer wakeups.

- CHANGED: Reorganized settings on the System page

- FIXED: QoS page layout in Firefox

- FIXED: curl wasn't using the firmware's CA list (regression)

- FIXED: Models with 128 KB support were only reporting 64 KB

in the nvram userspace tool

- FIXED: Traditional QoS not working when IPv6 is enabled

(patch by charlie2alpha)

- FIXED: Smart Connect page fails to save interface policies

- FIXED: VPNStatus page was broken on French locale

378.56 Beta 1 (12-Oct-2015)

- NEW: Merged with GPL 9177.

- NEW: Added support for the RT-AC88U.

- NEW: Support for Russian ISP Telenet (code by theMIROn)

- NEW: ipset support in dnsmasq (patch by ryzhov_al)

- NEW: default loglevel is now configurable and defaults to

5 (notice) instead of 0 (emergency)

- NEW: local syslogd loglevel is now configurable through the webui.

- NEW: Support for extra-certs in OpenVPN

- NEW: Editable DHCP static leases list, virtual servers, port triggers.

- NEW: IP addresses on the Network Service Filter page can now be

subnets in CIDR format (i.e. 10.0.0.0/24)

- CHANGED: Updated miniupnpd to 20150723 snapshot

- CHANGED: Updated openvpn to 2.3.8

- CHANGED: Updated dropbear to 2015.68 + upstream patches

- CHANGED: Updated minidlna to 1.1.5.

- CHANGED: Support up to 5 different OpenVPN clients (to match Asus)

- CHANGED: Maximum openvpn policy rules reduced from 128 to 100, fewer

priority slots wasted in the RPDB tables (could have been a

problem with the increase in the number of supported clients)

- CHANGED: Improvements to VPN Status page

- CHANGED: Connection failure reason shown on the OpenVPN client

configuration page.

- FIXED: Router crash when an invalid or corrupted DH parameter

is used on an OpenVPN server configuration.

- FIXED: 2.4 GHz temperature would be missing on the Sysinfo

page when disabling the 5 GHz radio on the RT-AC3200.

- FIXED: Max tracked connection limit wasn't user-editable

- FIXED: Resource leaks in ez-ipupdate if an update failed

- FIXED: Networked printers coming out of sleep every time

networkmap queried their LPR service

- FIXED: Resource leak in networkmap when scanning for

printer servers

- REMOVED: Regulation mode setting on Wireless -> Professional.

This can't be adjusted anymore, as it was moved to

a closed source component.

378.55 (17-July-2015)

- FIXED: DHCP lease page could get confused by IPv6 clients on

the LAN.

378.55 Beta 2 (11-July-2015)

- CHANGED: Updated dnsmasq to 2.73 RC9 (backport from GPL 6975)

- CHANGED: Updated odhcp6c to newer version (backport from GPL 6975)

- CHANGED: Updated openssl to 1.0.2d (fixes CVE-2015-1793, only present

in Beta 1 - 54_2 was not affected)

- CHANGED: Display existing key/certs on the OpenVPN pages once

they've been migrated to JFFS.

- FIXED: Time scheduler-related features (Parental Control & Wifi

scheduler) were broken (backported fix from Asus's GPL 6975)

(beta 1 regression)

- FIXED: QTN firmware was still being copied to RAM rather than rely

on the symlink to flash added in Beta 1, to save 4 MB of RAM.

(AC87U)

- FIXED: Dropbox cloud sync would fail on some setups (backport

from GPL 6975)

- FIXED: Entware-setup script would generate an invalid services-start

script

- FIXED: Duplicate zoneedit entry on the DDNS service list.

378.55 Beta 1 (3-July-2015)

- NEW: Merged with GPL 6117. Notable changes from Asus:

o New token-based webui authentication (more secure)

o OpenVPN certificates moved to JFFS2, saving nvram.

key/cert fields will show up empty on the webui,

any new key/cert you paste will be written back

to /jffs/openvpn/ . This means that if you revert

back to a previous version, your key/certs will

no longer be in nvram, so OpenVPN instances will

fail to start.

o New network client list on the network map

o CTF support for PPTP/L2TP WAN (Russian ISPs) (ARM)

- NEW: Reformatted DHCP lease list under System Log.

- NEW: Reformatted Port Forward page under System Log.

- NEW: Reformatted Route Table page under System Log.

- NEW: Reformatted IPv6 Status page under System Log.

- NEW: Display more details about UPNP/NAT-PMP/PCP redirections

on the Port Forward page.

- CHANGED: The JFFS2 partition is now always enabled, as it is

required by various firmware functions. The options

to format it or to enable/disable user config/scripts

remain configurable.

- CHANGED: Updated OpenVPN to 2.3.7.

- CHANGED: Updated OpenSSL to 1.0.2c.

- CHANGED: Use a pre-generated 2048-bit DH from RFC 3526 instead of

generating our own when doing the first time setup for

OpenVPN servers. This is necessary as openssl 1.0.2b and

up now reject 512-bit DHs, and generating a 1024-bit

would take far too long on a router.

The end-user still has the possibility of providing his

own - as long it's 1024-bit or stronger.

- CHANGED: Updated minidlna to upstream Git snapshot from 2015-06-26,

and switched to the newer build system.

- CHANGED: Upgraded ffmpeg from 0.6.0 to 0.7.17.

- CHANGED: Accept DHCP lease duration of up to 31 days on the DHCP page

- CHANGED: No longer regularly flush caches from memory on ARM

router. This will mean a lower amount of free memory is

shown, however that memory gets freed whenever something

actually needs it, so this is normal. (ARM)

- CHANGED: Display the size of cache memory on the Tools -> Sysinfo page

- CHANGED: Improvements to the Networkmap (ability to remove an entry,

removed the alert() from modifying an existing entry)

- CHANGED: Save over 4 MB of RAM on the RT-AC87U by not copying

the QTN firmware to RAM (RT-AC87)

- FIXED: Wireless Log page would fail to load if the SSID

contained certain characters

- FIXED: Wireless Log page would fail to load when in Media Bridge

mode on the RT-AC87U

- FIXED: DDNS page would complain about an empty account field

when setting it to CUSTOM with no prior value in that field.

- FIXED: Automatically generated DH was too weak (512-bit) and

preventing clients based on newer OpenSSL releases from

connecting. We automatically replace any weak PEM with our

2048-bit one.

- FIXED: minidlna could get stuck building its database (reverted

Asus's recent memory optimizations)

378.54_2 (10-June-2015)

- FIXED: The exported opvn config for clients had the incorrect port

value.

- FIXED: Busybox's zcip was missing a patch from 378_4950, preventing

it from working (and in turn preventing igmpproxy from working

for people with PPPoE connections where their modem does not

provide any DHCP lease to the physical WAN interface)

378.54_1 (8-June-2015)

- Some of the builds were unstable, did a complete recompile of all

releases. There was no code change.

378.54 (7-June-2015)

IMPORTANT: if you were previously using the AiProtection ad blocker, you

will need to manually disable it over SSH after flashing this

release, by running the following commands:

nvram set wrs_adblock_popup=0

nvram set wrs_adblock_stream=0

nvram commit

- NEW: Merged with Asus GPL 378_5134.

- NEW: OpenVPN policy rules can now be set to route matching traffic

through either the tunnel, or to your ISP (allowing you to

create exceptions to your tunnelling rules)

- NEW: Added OpenVPN server setting to let the OS manage

socket buffers (by inserting rcvbuf 0 and sndbuf 0 in

the server configuration)

- CHANGED: Upgraded OpenSSL to 1.0.2a, adding new tls ciphers

to OpenVPN and the https webui

- CHANGED: Updated miniupnpd to 1.9.20150430

- CHANGED: Reverted kernel backport of the parallel printer support,

and reintroduced fix in lprng. This should hopefully fix

the recent printing breakage issues.

- CHANGED: Removed AiProtection's ad blocker, as it's too buggy to

be usable, breaking numerous mobile applications,

and not being configurable in any way.

- CHANGED: OpenVPN policy routing rules are now applied at boot

time (when WAN comes up), so clients who are blocked while

a tunnel is down will immediately be blocked until

the tunnel comes up.

- CHANGED: Upgraded Quantenna firmware to 378_6065 release (AC87)

- FIXED: Router DNS weren't reverted to their original values

when shutting down an OpenVPN client with "explicit-

exit-notify" enabled. Now we manually clean it up

after the user manually terminates the client - it might

still not be cleaned up after an unexpected shutdown however.

Ideally, users should try avoiding using this setting when

possible.

- FIXED: Some legitimate VPN packets could get dropped due to their

conntrack state. Now, only INVALID packets coming from the

WAN interface are dropped.

- FIXED: OpenVPN client would sometime try to connect before the clock had

been set by NTP at boot time, preventing it from connecting.

- FIXED: AiProtection security check would fail to load when Dual WAN is

enabled

- FIXED: Various fields would allow you to enter a single quote character,

which could break the webui. Now these fields re-validate the

content after you deactivate the text field.

- FIXED: Switching between All Traffic and Policy Mode OpenVPN routing while

the option to block traffic when the tunnel goes down wasn't

properly removing those rules, so a tunnel going down in

All Traffic would still block policed clients.

- FIXED: EMF wasn't working on ARM models (missing userspace tool)

378.53 (26-Apr-2015)

- NEW: Merged with Asus GPL 378_4980 (with pieces from 378_4850 for AC56/AC68

and 378_5183 beta for AC87)

- NEW: OpenVPN policy routing. You can select client IPs or destination

IPs which you want to route through your VPN tunnel. You can enter

a single IP (192.168.0.1) or a whole subnet in CIDR format (for

example 74.125.226.112/30).

You can optionally block WAN access to these as well when the

tunnel goes down.

- NEW: Ad blocker based on Trend Micro's Web Reputation System (WRS).

This is an EXPERIMENTAL feature implemented by Asus but that

isn't enabled in the stock firmware.

- CHANGED: Updated Tor to 0.2.5.12

- CHANGED: Those providing a signed SSL certificate for httpd can now

provide chain certificate. The three PEMs must be in

that order: client, intermediate, CA. (Patch by sasoiliev)

- CHANGED: The setting to enable the neighbour solication filter rule

for Comcast's request flooding was changed to "ipv6_ns_drop",

and now defaults to "0" as this hack causes issues with

other ISPs.

- CHANGED: Backported dnsmasq patch that reverts a fix for Windows 8

clients as it could cause issues with other clients.

- FIXED: DNSFilter would fail if you had it set to "Router", and didn't

have a DNS IP entered on the WAN page.

- FIXED: MSS clamping wasn't applied to traffic in both direction, moved

it to the mangle table.

- FIXED: OpenVPN client firewall "external" mode does not exist - removed

from the webui.

- FIXED: PPTP account list could become corrupted after removing an entry

on the PPTP server page.

378.52_2 (5-Apr-2015)

- CHANGED: Updated AiCloud prebuilt binaries for MIPS models

- CHANGED: Applied kernel patch for MIPS kernel ported from 376_3861,

related to CTF support

- FIXED: AiCloud would fail to start unless you had HTTPS enabled for

the webui (causing the key/cert to be missing)

- FIXED: DDNS hostname would become corrupted after backing up

your router configuration (Asus bug)

378.52 (3-Apr-2015)

- NEW: Merged with Asus GPL 378_4608

- NEW: Added ECDHE support to the webui (when accessed over HTTPS)

- NEW: The DHCP server can now provide a second DNS to its clients

- NEW: You can tell the router not to advertise itself as a DNS

- NEW: Experimental Tor support (feature originally developed by

Asus, but not available yet on stock firmware). You can

enable it in the VPN section of the webui.

- CHANGED: Updated miniupnpd to 1.9.20150309

- CHANGED: You can no longer disable the JFFS2 partition if

Traffic Analyzer is enabled. Likewise, you can

no longer enable Traffic Analyzer if the JFFS2

partition is disabled.

- CHANGED: The selected refresh rate of the Wireless Clients

page will be saved to a cookie

- CHANGED: Removed obsolete (non-safe) ciphers such as RC4

from the router's https webui

- CHANGED: Updated OpenSSL to 1.0.0r

- CHANGED: Removed Turbo button support from webui, as that feature

doesn't work with the current bootloader everyone is

using now (RT-AC68)

- CHANGED: Performance optimization to the httpd, dropbear

and rc services

- FIXED: 2.4 GHz and 5 GHz-1 clients were swapped on the

Sysinfo page (RT-AC3200 only)

- FIXED: Wifi PSK wasn't blurred until activated (regression

from 378.51)

- FIXED: Samba's custom config/postconf were ignoring the

state of the global option to enable them (they

would always be used)

- FIXED: Samba's custom config/postconf usage wasn't logged

- FIXED: Some services would fail on their first attempt

to start at boot time due to the QTN subsystem

taking too long. Implemented patch from Asus

which eliminates the long QTN stall at boot

time. This resolves the issue where some users

had trouble connecting their WAN at boot time (RT-AC87U)

- FIXED: NAT rules could occasionally fail to be applied

(patch by john9527)

- FIXED: The Apply button on the Adaptive Bandwidth page

had a clickable area so wide that it even covered

part of the left side menu. (Asus bug)

- FIXED: USB menu was removed instead of Parental Control on

DPI-enabled models

- FIXED: QoS page was still available on the AP/RP modes on

DPI-enabled models

- FIXED: Error on OpenVPN Server page if using a DHCP pool for

connected clients.

- FIXED: UPNP would be reported as enabled on the security report

if it was enabled on the secondary WAN even if Dual WAN

itself wasn't enabled. Now we check that Dual WAN itself

is also enabled before reporting so. (Asus bug)

- FIXED: mtd-erase was unable to erase the brcmnand partition, which

is used as the JFFS2 partition starting with the RT-AC66U

(patch by benoitm974)

- FIXED: JFFS2 partition couldn't be formatted for all routers but

the RT-N66U (wrong partition name). Also resolved the case

where a second reboot was required to mount it.

- FIXED: RT-AC3200 port numbering was reversed on the Sysinfo page.

378.51 (6-Mar-2015)

- CHANGED: Updated OpenSSL to 1.0.0q (no real code change)

- CHANGED: Split the changelog into a separate file

- CHANGED: Added logging on custom config/script execution.

An error message will also be logged if those

are disabled while such a file is found.

- CHANGED: Allow pasting the password in some fields that would

disable it (patch by gfairchild)

- FIXED: RSSI not reported for guest clients (beta 1 regression)

- FIXED: DM failing to install on RT-AC66U (beta 1 regression)

378.51 Beta 1 (28-Feb-2015)

- IMPORTANT: The RT-N16 is no longer officially supported. The increased

number of separate router platforms is becoming too much of

a burden for one single developer, as some features must be

implemented 2-3 separate times for different architectures.

The RT-N16 support will remain in the source code, so other

developers can still compile their own builds, and possibly

take over for supporting this older platform. However, no new

features will be implemented, and it will no longer get

tested. I still welcome external contributions if

someone else wants to take care of testing and providing

fixes to new issues.

- NEW: Added support for the RT-AC3200.

- NEW: ARM support for Entware, using Zyxmon's Qnapware repository.

- NEW: Re-designed Wireless Log page displaying connected wireless

clients. The new page uses Ajax to automatically update

itself at a user-selected frequency, for near realtime

monitoring of your connected wifi clients.

- NEW: NAT loopback can now be chosen between Disable, Asus's original,

and Merlin's own (based on Phuzi0n's original DD-WRT design). The

option can be found on the Firewall page.

- CHANGED: Reverted RT-AC66U driver to previous version as some users

were experiencing stability issues with the 3754 version.

- CHANGED: Updated p910nd to 0.97 to resolve incomplete print jobs

(patch by stsichler)

- CHANGED: Updated Samba to 3.6.25

- CHANGED: The Entware setup scripts will now backup any existing

installation rather than remove it (patch by TeHashX)

- CHANGED: Re-implemented our original NAT loopback code, with attempts

at reconfiguring it whenever the DPI engine is restarted.

This is still experimental, as most of the DPI engine is

closed source, so unsure if the loopback gets re-enabled

in every regular DPI restart scenarios.

- CHANGED: Disabled the offline default error page. Clear your offline

content in your browser to fully get rid of it.

- CHANGED: Removed security warnings if FTP/Samba are configured to

allow unauthenticated users.

- FIXED: Issues when connecting with Russian ISPs relying on DHCP+VPN

(such as Beeline)

- FIXED: When enabling WAN access to webui, the router would always

forward both http and https ports regardless of if either of

these were disabled.

- FIXED: Shared printers over LPRng would sometime fail to

completely print the last page (patch by stsichler)

- FIXED: CVE-2015-0240 security issue in Samba 3.5.8 (used by

AiCloud). The main Samba daemon was patched by the

update to 3.6.25.

378.50 (7-Feb-2015)

- IMPORTANT: You must do a factory default reset, and manually

reconfigure your setting if coming from a version

older than 378.50. Failure to do so can

lead to various issues with wifi, OpenVPN,

and the new AC68U bootloader.

- IMPORTANT: Please read this changelog, especially the changes

related to jffs, user scripts/config and OpenVPN in

the previous 378.50 betas.

- NEW: Merged with Asus GPL 378_4129 code.

- CHANGED: Reverted back to vsftpd 2.x, as 3.0.2 doesn't work properly

on MIPS architectures (and possibly other particular

scenarios as well).

- CHANGED: Added warning to the DDNS page if you set the type

to Custom and either JFFS or custom script support isn't

enabled

- FIXED: A few unescaped quotes in the French dict breaking VPN pages

- FIXED: MAC list would get corrupted when removing and re-adding

entries on the MAC filter list

- FIXED: AC68U CFE update wasn't written to flash due to permission

issues

- FIXED: Static Key field wasn't visible when using HMAC authentication

- FIXED: syslogd was always enforcing the -S switch

- FIXED: When setting a static DHCP from the networkmap, the user-entered

name wouldn't be used. Now it gets used, and we rely on the rc

daemon to properly handle it if it's not a valid hostname (it will

simply not provide it to dnsmasq's static name list).

378.50 Beta 2 (31-Jan-2015)

- NEW: Added custom config and postconf support for avahi, netatalk

and mt-daapd (iTunes server).

- CHANGED: Moved the AC68U CFE update process to the same location

as in GPL 3626 to see if it works more consistently.

- FIXED: Non-DPI build of AC56U had incompatible Tuxera modules

- FIXED: vsftpd wouldn't start if you had IPv6 enabled.

- FIXED: Asus had disabled the NAT loopback fix on MIPS's iptables

in GPL 3762. Re-enabled.

- FIXED: Wireless clients that hadn't communicated in a while wouldn't

be properly shown on the Wireless log (patch by pinwing)

- FIXED: QoS rules weren't applied properly when IPv6 was enabled

(was changed in recent GPL - reverted it)

- FIXED: Can't apply a Custom DDNS if you don't have something entered

in the username/password fields (shown in other DDNS services)

- FIXED: NFS page wasn't properly loading

378.50 Beta 1 (25-Jan-2015)

- IMPORTANT: You must do a factory default reset, and manually

reconfigure your setting. Failure to do so can

lead to various issues with wifi, OpenVPN,

and the new AC68U bootloader.

- IMPORTANT: Please read this changelog, especially the changes

related to jffs, user scripts/config and OpenVPN.

- NEW: Merged with Asus 378_3913 GPL code. Most notable changes:

* Trend Micro DPI engine for RT-AC68U

* Updated Trend Micro engine for RT-AC87U

* Updated Quantenna firmware/driver

* Various updates to 3G/4G support and Dual WAN

- NEW: ddns-start user script, executed after the DDNS update

was launched (can be used to update additional services)

- NEW: Custom DDNS (handled through ddns-start script)

See the documentation for how to create such

a script.

- NEW: Option to enable support for custom scripts and

config files. This option is disabled by default, so

if you have a broken script that prevents the router from

booting, doing a factory default reset will ensure that the

broken script won't be executed, and recover access to the

router. This is necessary since the JFFS2 partition is

now enabled by default.

- CHANGED: Added logo to DNSFilter on the AiProtection

homepage (contributed by Piterel)

- CHANGED: Updated Openssl to 1.0.0p

- CHANGED: Merged Asus's newer NTP update code, with a fix

to prevent hourly log spam from the update process

when in a DST enabled timezone.

- CHANGED: Updated vsftpd to 3.0.2 (newer version used by

Asus on their Qualcomm-based routers)

- CHANGED: the qos-start script will be passed an argument

that will contain "init" (when setting up tc)

or "rules" (when setting up iptables).

- CHANGED: JFFS2 partition is now enabled by default, to be in

sync with Asus, who are starting to make use of this

partition.

- CHANGED: The Local IP in an IPv6 firewall rule can now be

left empty.

- CHANGED: Download Master will now be downloaded at install time

rather than included in the firmware, to increase the

amount of space available to JFFS - this matches

the AC56/AC68. (N16, N66)

- FIXED: Under certain conditions, the OpenVPN server page

would report an initializing state when it was

already running.

- FIXED: First OpenVPN client/server instance wasn't properly

run on the second CPU core, resulting in lower

performance (AC56/AC68/AC87)

- FIXED: Router IP wasn't advertised through DHCP as WINS

server if WINS was enabled

- FIXED: OpenVPN would crash if specifying "None" as

the cipher (regression in OpenVPN 2.3.6)

- FIXED: The "empty" category was removed by Asus a

few months ago, preventing you from removing

an assigned priority on the Adaptive QoS

page. Re-added it.

- FIXED: Port triggers weren't written to the correct

iptables chain (Asus bug)

- FIXED: When moving from stock to this firmware, the OpenVPN

Server 1 instance gets automatically enabled because

Asus hardcodes "1" into the nvram setting that handles

start at wan. Changed to a different nvram to resolve

this conflict. This means everyone must re-enable their

OpenVPN server instance after upgrading from any version

before 376.50.

- FIXED: dnsmasq would run out of available leases if you had a

very small DHCP pool combined with many out-of-pool

reservations. Now the limit will be either 253 or the

pool size, whichever is the largest (Asus issue)

- FIXED: SSHD port forwarding couldn't be enabled/disabled

- FIXED: DHCP log spam when using IPv6 with a Windows 8

client (patch by pinwing)

- FIXED: snmp exposes a lot of sensitive information such as

login credentials, therefore all the custom Asus MIBs

have been disabled.

- FIXED: Very long SSIDs with special characters/spaces in them

would be shown as "undefined" in the banner.

- FIXED: Curl would fail to access SSL sites due to lack of

a CA bundle.

376.49_5 (9-Jan-2015)

- FIXED: Vulnerability in infosvr (CVE-2014-9583) (Asus bug)

- FIXED: Additional security issue in infosvr (incorrect memcpy()

call) (Asus bug)

376.49_4 (27-Dec-2014)

- FIXED: WAN page error when entering a hostname, and broken

UPNP FAQ link

- FIXED: OpenVPN Server wasn't showing the Advertize DNS to

Client option (regression from 3677 merge)

- FIXED: bootloop when enabling Traditional QoS (or any other

feature that forces CTF to be disabled) due to

FA being left enabled (Asus bug) (AC87)

376.49_2 (23-Dec-2014)

- FIXED: Asus DDNS couldn't be configured on the webui

- FIXED: OpenVPN server wouldn't let you edit user accounts

- FIXED: Missing DLNA icon on clients (Asus bug) (N66, AC66)

376.49 (21-Dec-2014)

- NEW: Merged with Asus GPL 376_3677. This new code

includes a lot of changes related to USB modem

support.

- NEW: IPv6 handling based on dnsmasq + odhcp6c. This new

code which has been developped by Asus these past few

months but kept disabled so far has been enabled.

Initial tests show much better reliability with

different ISPs.

- NEW: Added IPv6 support to DNSFilter (currently only

Yandex has IPv6 servers). Note that unlike IPv4

filtering, we cannot automatically NAT queries

to the desire server, so the current implementation

works like Asus's YandexDNS service, where IPv6 servers

are simply returned to DHCPv6/RA client queries,

and ip6tables ensures that you cannot override

them, by rejecting connection to other DNS servers.

- CHANGED: Merged newer DPI engine from 378_3123 beta

(AC87)

- CHANGED: Removed SSLv2 and v3 support from OpenSSL

(we had already stopped using these in

376.48, so this removes unused code)

- CHANGED: The VPN webui is now a bit closer to Asus's code.

This will mostly make it easier to keep in

sync with future changes to that UI by

Asus (they rearranged the layout a bit in

376_36xx).

- CHANGED: Updated OpenVPN to 2.3.6

- CHANGED: Reverted to Asus's max-lease number calculation

for dnsmasq

- CHANGED: Hide wireless key on settings page unless field

has focus (patch by John9527)

- CHANGED: Ported USB 3.0 (XHCI) kernel driver from

Netgear GPL (which seems to have in turn

backported it from upstream kernel 3.x)

- CHANGED: Updated Quantenna to v36.7.3.23 (AC87)

- FIXED: vsftpd wasn't properly compiled with SSL

support.

- FIXED: MAC filtering couldn't be disabled on Guest

networks (Asus bug) (Patch by John9527)

- FIXED: Various fixes and tweaks to the new IPv6

code from Pinwing and saintdev

- FIXED: Editing a client on the networkmap would

cause any matching DHCP reservation entry to

lost its hostname

- REMOVED: The web redirection control setting was

removed, as it is being replaced by the

(simpler) redirection setting Asus added

to the System page.

376.48_3 (20-Nov-2014)

- FIXED: NAT loopback was broken on MIPS devices

(backported Asus fix from 376_3626)

376.48_2 (8-Nov-2014)

- FIXED: Samba would fail to start on the RT-N16 due to a

missing library.

376.48_1 (7-Nov-2014)

- FIXED: Max-lease calculation Asus introduced in 376_2769 is

broken - re-hardcode it to 253 like they used to do in

previous release. Will be properly fixed once they

release a newer GPL with this issue resolved.

(Asus bug)

376.48 (7-Nov-2014)

- NEW: Added the RT-AC68P to the list of supported devices

- CHANGED: Use sha256 checksums instead of MD5 for improved

security when validating your downloads.

(note: checksums are also posted on the support

forum at SmallNetBuilder)

- CHANGED: Switched my fix for unmounted/hidden partition

support with Asus's own fix from GPL 3561.

- FIXED: Samba would fail to start if the router admin username contained

upper case characters. Samba was modified to have it try to

local the UNIX user as provided (it was previously only

trying upper and lower case versions) (Samba 3.6 bug)

376.48 Beta 3 (02-Nov-2014)

- CHANGED: Updated miniupnpd to release 1.9 (plus upstream PCP fix)

- FIXED: Couldn't edit share permissions for Samba if your disk

contained an unmounted/hidden partition (Asus bug in 2769)

- FIXED: Couldn't edit share permissions for Samba for the RT-N66U

internal SDcard reader (Asus bug in 2769)

- FIXED: Missing Max User field to Samba page (Asus bug)

376.48 Beta 2 (26-Oct-2014)

- NEW: Added logo to the webui header

- CHANGED: Samba 3.6 will now use libiconv to handle

charset conversion (will resolve CP850

warnings amongst other things)

- CHANGED: Updated miniupnpd to 20141023 code from Github.

- CHANGED: Updated dropbear to 2014.66.

- CHANGED: Reverted NTP update code to GPL 2678 in hopes of

resolving the few cases where it didn't work anymore.

- FIXED: minidlna is once again able to use inotify for updates.

A temporary workaround has been implemented where

minidlna will be staticly linked with a threadsafe

build of sqlite3, while BWDPI will continue to use

the shared non-threadsafe library. (Asus bug)

376.48 Beta 1 (18-Oct-2014)

- NEW: Merged with Asus 376_2769 AC87 GPL

- NEW: Enabled numerous modules in net-snmp (based on the list

used by OpenWRT)

- NEW: Added postconf and custom config support for snmpd.conf

- NEW: Added HID support to ARM kernel (AC56,AC68,AC87)

- CHANGED: Reverted NAT loopback code to Asus's, since our own

code is currently broken by recent FW code changes.

- CHANGED: Updated openssl to 1.0.0o, resolving a few security issues.

- CHANGED: Disabled SSLv2 and SSLv3 support for https access to the

router webui. IE6 users, your time is up - upgrade.

TLS 1.0 is now the only supported protocol.

- CHANGED: upgraded main Samba server from 3.0.x to 3.6.24. This might

cause a slight drop in performance, but should improve

both reliability and security.

- FIXED: DNSFilter client list dropdown would sometime be empty.

- FIXED: DNS queries run on the router were forwarded to upstream

nameservers instead of the local dnsmasq

- FIXED: Re-added the USB HID kernel module needed for UPS monitoring

(patch by ryzhov_al)

- FIXED: Incorrect top margin on some pages such as AiCloud, and

stretched font on the progress splash (Asus bug)

- FIXED: URL and keyword filtering wasn't working under certain

situations when CTF was enabled

- FIXED: Mac Filtering wasn't working with Guest networks

(Asus bug) (Patch by saintdev)

- FIXED: Chosing a client on the MAC Filter page wasn't properly

filling the Name field. Also reorganized layout a bit.

376.47 (20-Sept-2014)

- NEW: Added sha256 and sha512 HMAC support to dropbear (SSH)

- CHANGED: Moved OpenVPN postconf scripts right before server/client

gets started, so you can also use them to modify the other

generated files such as the exported ovpn config file.

- FIXED: SSHD options visibility (patch by pinwing)

- FIXED: EMF/IGMP settings were reverting to the select profile

default (Asus bug introduced in GPL 2678)

- FIXED: PPTP account list failed to display (regression in Beta 1)

- FIXED: VPN server page was switching back to PPTP when changing

OpenVPN unit and you were initially on the PPTP page

- FIXED: Activity indicator wasn't shown during a networkmap

scan

376.47 Beta 1 (14-Sept-2014)

- NEW: Merged with Asus GPL 2678 (AC87)

- NEW: Report Quantenna FW version on Sysinfo page

- NEW: Enabled experimental FTP and Samba Cloud Sync support in AiCloud.

This feature is still in development by Asus, so it might not be

fully functional yet.

- NEW: Enabled experimental SNMPD support, under Administration -> SNMP.

This feature is still in development by Asus, so it might not be

fully functional yet. (not available on the RT-N16)

- NEW: Added option to enable WAN access to SNMPD, defaults to disabled.

(Asus's implementation has it open to the WAN by default)

- CHANGED: Re-increased max allowed FTP user limit to 10 (was reverted

to 5 in the GPL merge when the setting was moved to the

FTP page)

- FIXED: PPTPD was getting enabled every time you clicked Apply while on

the PPTPD VPN Server page

376.46 (26-Aug-2014)

- NEW: Merged with Asus GPL 2061. This is essentially

the new QTN driver for the AC87.

- FIXED: Various webui issues with IE10/IE11 (patch by pinwing)

- FIXED: OpenVPN Client page was visible on the RT-N16

- FIXED: DHCP pool validation error on VPN Server advanced page.

- FIXED: Couldn't edit the first VPN Client entry due to broken

duplicate check (Asus bug)

376.45 (17-Aug-2014)

- NEW: Compiled vsftpd with SSL support (must be manually

configured if you intend to use it)

- NEW: Report FA state (Level 2 CTF) on Sysinfo page.

- CHANGED: Updated dropbear to 2014.65.

- CHANGED: Updated openssl to 1.0.0n (numerous

security fixes)

- CHANGED: Updated lzo to 2.08

- CHANGED: Reworked VPN Server pages to be more intuitive

- FIXED: Garbled client dropdown selector on DNSFilter page

- FIXED: The Comcast neighbour solicitation block wasn't

enabled anymore (regression in 376.44) (Patch by

Sinshiva)

- FIXED: 5 GHz N+AC mode was incorrectly setting router to

N-only mode (Asus bug, fix backported from 2381,

additional fix by me for AC66)

- FIXED: PControl page failing to display on French and

Italian locales (Asus bug)

- FIXED: IPv6 can occasionally fail to work properly when

using a PPPoE WAN interface (patch by pinwing)

376.44 (3-Aug-2014)

IMPORTANT: Make a backup of your JFFS partition if upgrading

an RT-AC56U or RT-AC68U and you have stored files

on that partition! The partition layout has been

changed.

- NEW: Merged with Asus's 376_2044 GPL.

Summary of changes:

* New networkmap, lets users edit device names,

assign icons to devices, etc...

* Reworked IPv6 support

* New filesystem driver provider for NTFS/HFS+/FAT

* Webui visual update

* Updated components (minidlna, radvd, dnsmasq)

- NEW: Added support for RT-AC87U.

- CHANGED: Updated N66U wireless driver to Asus's 1071 build

- CHANGED: Updated miniupnpd to Git head (as of 20140731)

- CHANGED: The JFFS partition on ARM devices now uses

Asus's code, which means the whole unused space

is now used for the JFFS partition.

(AC56, AC68)

- CHANGED: Made all ARM models use the new filesystem drivers from Tuxera,

resulting in general improved USB disk performance (and

hopefully improved reliability as well) (AC56, AC68)

- CHANGED: The wifi notification icon will now report

channel and channel width for the 5 GHz band,

as the extension channel wasn't always accurately

reported.

- CHANGED: Reworked layout of SSH settings on System page (based

on Asus's own WIP)

- CHANGED: Allow FQDN (hostname + domain) rather than just

hostnames on the WAN page (some ISPs require that)

- FIXED: Missing mDNSResponder daemon preventing mt-daapd

from working on MIPS devices (N16,N66,AC66)

- FIXED: System Log wouldn't properly be positioned

at the bottom (Patch by John9527)

- FIXED: DNSFilter clients configured to bypass DNSFilter

would still be prevented from using an IPv6 DNS.

- FIXED: Incorrect IPv6 prefix if not a multiple of 8

(patch by NickZ)

- FIXED: OpenVPN firewall cleanup was missing rules

(patch by sinshiva)

- FIXED: Minidlna issues with Philips smart TVs

- FIXED: SSHD brute force protection wasn't working if

Dual WAN was enabled and set to LB mode.

- FIXED: Miniupnpd error flood in Syslog when using a

Plex server on your LAN (fix from upstream)

- REMOVED: Reverted various IPv6-related patches as they

conflicted with Asus's own changes. These might

make it back at a later time if deemed

necessary.

- REMOVED: Removed layer7 filtering support in Netfilter from

ARM devices due to compatibility issues (AC56,AC68)

- REMOVED: Removed IPsec support from ARM devices due to

compatibility issues (AC56, AC68)

374.43_2 (7-June-2014)

- FIXED: NTFS disks couldn't be mounted (Paragon driver not

loading due to a kernel change) (AC56, AC68)

374.43 (6-June-2014)

- NEW: User-configurable refresh period to trigger a DDNS

update after a certain number of days.

- CHANGED: dnsmasq option 252 now defaults to an empty string,

to silence broken clients such as Win7.

Important: if you were previously using a customized

252 reply (to use with a valid wpad/pac file), you

will need to use a postconf script to change the

default config instead of appending your own

config.

If you use DNS-based WPAD setting, you will need

to remove the 252 option using postconf, as IE will

not query for the DNS entry if there is a 252

option through DHCP, even if it fails to connect to it.

- CHANGED: Updated miniupnpd to 1.8.20140523.

- CHANGED: Updated openssl to 1.0.0m.

- CHANGED: More backports from OpenSSL 1.0.2, improving SHA

performance on ARM routers.

- CHANGED: The JFFS2 partition is now disabled by default after

a factory default reset.

- FIXED: Media server page wouldn't let you enable the iTunes

server unless you also enabled DLNA (Asus bug)

- FIXED: Restricted guests still had access to the router (Asus

bug introduced in GPL 4887)

- FIXED: 6in4 traffic wasn't bypassing CTF if dualwan mode was

either disabled or set to failover mode (AC56/AC68)

- FIXED: Single character workgroups were rejected as invalid

(Asus bug)

- FIXED: Networks with SSIDs containing single quotes

would break the client list (Asus bug)

- FIXED: Traffic Monitor results are wrong on PPPoE connections

(Asus bug) (Patch by pinwing, additional debugging

by fantom1)

- FIXED: Crash if entering close to 64 MACs plus their names on

the MAC filter page.

374.42_2 (16-May-2014)

- FIXED: Time Machine support (AC56, AC68)

374.42 (9-May-2014)

- NEW: Merged with Asus's 374_5656 GPL.

- NEW: Added Comodo Secure DNS to supported DNSFilter services

- FIXED: Download2 folder wasn't selectable anymore on the

Media Server page.

- FIXED: Pass correct valid and preferred lifetime to radvd when